Event-B provides a flexible framework for stepwise system development via refinement. The framework supports steps for (a) refining events (one-by-one), (b) splitting events (one-by-many), and (c) introducing new events. In each of the steps events can moreover possibly be anticipated or convergent. All such steps are accompanied with precise proof obligations. Still, it remains unclear what the exact relationship - in terms of a behaviour-oriented semantics - between an Event-B machine and its refinement is. In this paper, we give a CSP account of Event-B refinement, with a treatment for the first time of splitting events and of anticipated events. To this end, we define a CSP semantics for Event-B and show how the different forms of Event-B refinement can be captured as CSP refinement.



1 Introduction 

Event-B [1] provides a framework for system development through stepwise refinement. Individual refinement steps are verified with respect to their proof obligations, and the transitivity of refinement ensures that the final system description is a refinement of the initial one. The refinement process allows new events to be introduced along the way, in order to provide the more concrete implementation details necessary as refinement proceeds.

The framework allows for a great deal of flexibility, so as to cover a broad range of system developments. The recent book [1], comprising case studies from rather diverse areas, shows that this goal is actually met. The flexibility is a result of the different ways of dealing with events during refinement. At each step existing events of an Event-B machine need to be refined. This can be achieved by (a) simply keeping the event as is, (b) refining it into another event, possibly because of a change of the state variables, or (c) splitting it into several events.¹ Furthermore, every refinement step allows for the introduction of new events. To help reasoning about divergence, events are in addition classified as ordinary, anticipated or convergent. Anticipated and convergent events both introduce new details into the machine specification. Convergent events must not be executed forever, while for anticipated events this condition is deferred to later refinement steps. All of these steps come with precise proof obligations; appropriate tool support helps in discharging these [3, 2]. Event-B is essentially a state-based specification technique, and proof obligations therefore reason about predicates on states.

Like Event-B, CSP comes with a notion of refinement. In order to understand their relationship, these two refinement concepts need to be set in a single framework. Both formalisms moreover support a variety of different forms of refinement: Event-B by means of several proof obligations related to refinement, out of which the system designer chooses an appropriate set; CSP by means of its different semantic domains of traces, failures and divergences. The aim of this paper is to give a precise account of Event-B refinement in terms of CSP's behaviour-oriented process refinement. This will also provide the underlying results that support refinement in the combined formalism Event-B||CSP. Our work is thus in line with previous studies relating state-based with behaviour-oriented refinement (see e.g. [8, 9, 4]). It turns out that CSP supports an approach to refinement consistent with that of Event-B. It faithfully reflects all of Event-B's possibilities for refinement, including splitting events and new events. It moreover also deals with the Event-B approach of anticipated events as a means to defer consideration of divergence-freedom. Our results involve support for individual refinement steps as well as for the resulting refinement chain.

¹ A fourth option is merging of events, which we do not consider here.

The paper is structured as follows. The next section introduces the necessary background on Event-B 
and CSP. Section 3 gives the CSP semantics for Event-B based on weakest preconditions. In Section 4 
we precisely fix the notion of refinement used in this paper, both for CSP and for Event-B, and Section 
5 will then set these definitions in relation. It turns out that the appropriate refinement concept of CSP in 
this combination with Event-B is infinite-traces-divergences refinement. The last section concludes. 

2 Background 

We start with a short introduction to CSP and Event-B. For more detailed information see [17] and [1] respectively.

2.1 CSP 

CSP, Communicating Sequential Processes, introduced by Hoare [11], is a formal specification language aiming at the description of communicating processes. A process is characterised by the events it can engage in and their ordering. Events will in the following be denoted by $a_1, a_2, \ldots$ or $evt0, evt1, \ldots$

Process expressions are built out of events using a number of composition operators. In this paper, we will make use of just three of them: interleaving ($P_1 \,|||\, P_2$), executing two processes in parallel without any synchronisation; hiding ($P \setminus N$), making a set $N$ of events internal; and renaming ($f(P)$ and $f^{-1}(P)$), changing the names of events according to a renaming function $f$. If $f$ is a non-injective function, $f^{-1}(P)$ will offer a choice of events $b$ such that $f(b) = a$ whenever $P$ offers event $a$.

Every CSP process $P$ has an alphabet $\alpha P$. Its semantics is given using the Failures/Divergences/Infinite Traces semantic model for CSP. This is presented as in [16] or FDI in [17]. The semantics of a process can be understood in terms of four sets, $T, F, D, I$, which are respectively the traces, failures, divergences, and infinite traces of $P$. These are understood as observations of possible executions of the process $P$, in terms of the events from $\alpha P$ that it can engage in.

Traces are finite sequences of events from $P$'s alphabet: $tr \in (\alpha P)^*$. The set $traces(P)$ represents the possible finite sequences of events that $P$ can perform. Failures will not be considered in this paper and are therefore not explained here.

Divergences are finite sequences of events on which the process might diverge: perform an infinite sequence of internal events (such as an infinite loop) at some point during or at the end of the sequence. The set $divergences(P)$ is the set of all possible divergences for $P$. Infinite traces $u \in (\alpha P)^\omega$ are infinite sequences of events. The set $infinites(P)$ is the set of infinite traces that $P$ can exhibit. For technical reasons it also contains those infinite traces which have some prefix which is a divergence.

Definition 2.1 A process $P$ is divergence-free if $divergences(P) = \{\}$.
machine M0
  variables v
  invariant I(v)
  events init0, evt0, ...
end

evt0 =
  when
    G(v)
  then
    v :| BA0(v, v')
  end

Figure 1: Template of an Event-B machine and an event.



We use $tr$ to refer to finite traces. These can also be written explicitly as $\langle a_1, a_2, \ldots, a_n \rangle$. The empty trace is $\langle\rangle$; concatenation of traces is written as $tr_1 \frown tr_2$. We use $u$ to refer to infinite traces. Given a set of events $A$, the projections $tr \upharpoonright A$ and $u \upharpoonright A$ are the traces restricted to only those events in $A$. Note that $u \upharpoonright A$ might be finite, if only finitely many $A$ events appear in $u$. Conversely, $tr \setminus A$ and $u \setminus A$ are those traces with the events in $A$ removed. The length operator $\#tr$ and $\#u$ gives the length of the trace it is applied to. As a first observation, we get the following.

Lemma 2.2 If $P$ is divergence-free, and for any infinite trace $u$ of $P$ we have $\#(u \setminus A) = \infty$, then $P \setminus A$ is divergence-free.

Proof 2.3 Follows immediately from the semantics of the hiding operator.

Later, we furthermore use specifications on traces or, more generally, on CSP processes. Specifications are given in terms of predicates. If $S$ is a predicate on a particular semantic element, then we write $P\ \mathbf{sat}\ S$ to denote that all relevant elements in the semantics of $P$ meet the predicate $S$. For example, if $S(u)$ is a predicate on infinite traces, then $P\ \mathbf{sat}\ S(u)$ is equivalent to $\forall u \in infinites(P) \,.\, S(u)$.

2.2 Event-B

Event-B [1, 13] is a state-based specification formalism based on set theory. Here we describe the basic parts of an Event-B machine required for this paper; a full description of the formalism can be found in [1].

A machine specification usually defines a list of variables, given as $v$. Event-B also in general allows sets $s$ and constants $c$. However, for our purposes the treatment of elements such as sets and constants is independent of the results of this paper, and so we will not include them here. They can be directly incorporated without affecting our results.

There are many clauses that may appear in Event-B machines, and we concentrate on those clauses concerned with the state. We will therefore describe a machine $M_0$ with a list of state variables $v$, a state invariant $I(v)$, and a set of events $evt0, \ldots$ to update the state (see left of Fig. 1). Initialisation is a special event $init0$.

A machine $M_0$ will have various proof obligations on it. These include consistency obligations, that events preserve the invariant. They can also include (optional) deadlock-freeness obligations: that at least one event guard is always true.

Central to an Event-B description is the definition of the events, each consisting of a guard $G(v)$ over the variables, and a body, usually written as an assignment $S$ on the variables. The body defines a before-after predicate $BA(v,v')$ describing changes of variables upon event execution, in terms of the relationship between the variable values before ($v$) and after ($v'$). The body can also be written as $v :|\ BA(v,v')$, whose execution assigns to $v$ any value $v'$ which makes the predicate $BA(v,v')$ true (see right of Fig. 1).

3 CSP semantics for Event-B machines

Event-B machines are particular instances of action systems, so Morgan's CSP semantics for action systems [14] allows traces, failures, and divergences to be defined for Event-B machines, in terms of the sequences of events that they can and cannot engage in. Butler's extension to handle unbounded nondeterminism [6] defines the infinite traces for action systems. These together give a way of considering Event-B machines as CSP processes, and treating them within the CSP semantic framework. In this paper we use the infinite traces model in order to give a proper treatment of divergence under hiding. This is required to establish our main result concerning divergence-freedom under hiding of new events. Consideration of finite traces alone is not sufficient for this result.

Note that the notion of traces for machines is different to that presented in [H, where traces are 
considered as sequences of states rather than our treatment of traces as sequences of events. 

The CSP semantics is based on the weakest precondition semantics of events. Let $S$ be a statement (of an event). Then $[S]R$ denotes the weakest precondition for statement $S$ to establish postcondition $R$. Weakest preconditions for events of the form "when $G(v)$ then $S(v)$ end" are given by considering them as guarded commands:

$[\mathbf{when}\ G(v)\ \mathbf{then}\ S(v)\ \mathbf{end}]P = G(v) \Rightarrow [S(v)]P$

Events in the general form "when $G(v)$ then $v :|\ BA(v,v')$ end" have a weakest precondition semantics as follows:

$[\mathbf{when}\ G(v)\ \mathbf{then}\ v :|\ BA(v,v')\ \mathbf{end}]P = G(v) \Rightarrow \forall x \,.\, (BA(v,x) \Rightarrow P[x/v])$

Observe that for the case $P = true$ we have

$[\mathbf{when}\ G(v)\ \mathbf{then}\ v :|\ BA(v,v')\ \mathbf{end}]true = true$

Based on the weakest precondition, we can define the traces, divergences and infinite traces of an Event-B machine.²

Traces The traces of a machine $M$ are those sequences of events $tr = \langle a_1, \ldots, a_n \rangle$ which are possible for $M$ (after initialisation $init$): those that do not establish $false$:

$traces(M) = \{tr \mid \neg[init; tr]false\}$

Here, the weakest precondition on a sequence of events is the weakest precondition of the sequential composition of those events: $[\langle a_1, \ldots, a_n \rangle]P$ is given as $[a_1; \ldots; a_n]P = [a_1](\ldots([a_n]P)\ldots)$.

Divergences A sequence of events $tr$ is a divergence if the sequence of events is not guaranteed to terminate, i.e. $\neg[init; tr]true$. Thus

$divergences(M) = \{tr \mid \neg[init; tr]true\}$

Note that any Event-B machine $M$ with events of the form $evt$ given above is divergence-free. This is because $[evt]true = true$ for such events (and for $init$), and so $[init; tr]true = true$. Thus no potential divergence $tr$ meets the condition $\neg[init; tr]true$.

² Failures can be defined as well but are omitted since they are not needed for our approach.
Infinite Traces The technical definition of infinite traces is given in [6], in terms of least fixed points of predicate transformers on infinite vectors of predicates. Informally, an infinite sequence of events $u = \langle u_0, u_1, \ldots \rangle$ is an infinite trace of $M$ if there is an infinite sequence of predicates $P_i$ such that $\neg[init](\neg P_0)$ (i.e. some execution of $init$ reaches a state where $P_0$ holds), and $P_i \Rightarrow \neg[u_i](\neg P_{i+1})$ for each $i$ (i.e. if $P_i$ holds then some execution of $u_i$ can reach a state where $P_{i+1}$ holds).

$infinites(M) = \{u \mid \text{there is a sequence } (P_i)_{i \in \mathbb{N}} \,.\, \neg[init](\neg P_0) \wedge \forall i \,.\, P_i \Rightarrow \neg[u_i](\neg P_{i+1})\}$

These definitions give the CSP Traces/Divergences/Infinite Traces semantics of Event-B machines in terms of the weakest precondition semantics of events.

4 Refinement 

In this paper, we intend to give a CSP account of Event-B refinement. The previous section provides us 
with a technique for relating Event-B machines to the semantic domain of CSP processes. Next, we will 
briefly rephrase the refinement concepts in CSP and Event-B before explaining Event-B refinement in 
terms of CSP refinement. 

4.1 CSP refinement

Based on the semantic domains of traces, failures, divergences and infinite traces, different forms of refinement can be given for CSP. The basic idea underlying these concepts is - however - always the same: the refining process should not exhibit a behaviour which was not possible in the refined process. The different semantic domains then supply us with different forms of "behaviour". In this paper we will use the following refinement relation, based on traces, divergences and infinite traces:

$P \sqsubseteq_{TDI} Q \;\hat{=}\; traces(Q) \subseteq traces(P) \;\wedge\; divergences(Q) \subseteq divergences(P) \;\wedge\; infinites(Q) \subseteq infinites(P)$

Refinement in Event-B also allows for the possibility of introducing new events. To capture this aspect in CSP, we need a way of incorporating this into process refinement. As a first idea, we could hide the new events in the refining process. This potentially introduces divergences, namely, when there is an infinite sequence of new events in the infinite traces. In order to separate out consideration of divergence from reasoning about traces, we will use $P \,|||\, RUN_N$ as a lazy abstraction operator instead. $RUN_N$ defines a divergence-free process capable of executing any order of events from the set $N$. This will enable us to characterise Event-B refinement introducing new events in CSP terms. The following lemma gives the relationship between refinement involving interleaving, and refinement involving hiding.

Lemma 4.1 If $P_0 \,|||\, RUN_N \sqsubseteq_{TDI} P_1$ and $N \cap \alpha P_0 = \{\}$ and $P_1 \setminus N$ is divergence-free, then $P_0 \sqsubseteq_{TDI} P_1 \setminus N$.

Proof: Assume that (1) $P_0 \,|||\, RUN_N \sqsubseteq_{TDI} P_1$, (2) $N \cap \alpha P_0 = \{\}$ and (3) $P_1 \setminus N$ is divergence-free. We need to show that the (finite and infinite) traces as well as divergences of $P_1 \setminus N$ are contained in those of $P_0$.

Traces Let $tr \in traces(P_1 \setminus N)$. By the semantics of hiding there is some $tr' \in traces(P_1)$ s.t. $tr' \setminus N = tr$. By (1) $tr' \in traces(P_0 \,|||\, RUN_N)$. By (2) and the semantics of $|||$ we get $tr' \setminus N \in traces(P_0)$ and thus $tr \in traces(P_0)$.

Divergences By (3) $divergences(P_1 \setminus N) = \{\}$, thus nothing to be proven here.

Infinites Let $u \in infinites(P_1 \setminus N)$. By the semantics of hiding there is some $u' \in infinites(P_1)$ such that $u' \setminus N = u$ and $\#(u' \setminus N) = \infty$. By (1) $u' \in infinites(P_0 \,|||\, RUN_N)$ and by (2) and the semantics of interleaving we get $u' \setminus N = u \in infinites(P_0)$.

□

evt0 =
  when
    G(v)
  then
    v :| BA0(v, v')
  end

evt1 =
  refines evt0
  status st
  when
    H(w)
  then
    w :| BA1(w, w')
  end

Figure 2: An event and its refinement

4.2 Event-B refinement 

In Event-B, the (intended) refinement relationship between machines is directly written into the machine definitions. As a consequence of writing a refining machine, a number of proof obligations come up. Here, we assume a machine and its refinement to take the following form:

machine M0
  variables v
  invariant I(v)
  events init0, evt0, ...
end

machine M1
  refines M0
  variables w
  invariant J(v, w)
  events init1, evt1, ...
  variant V(w)
end

The machine $M_0$ is actually refined by machine $M_1$, written $M_0 \preceq M_1$, if the given linking invariant $J$ on the variables of the two machines is established by their initialisations, and preserved by all events, in the sense that any event of $M_1$ can be matched by an event of $M_0$ (or $skip$ for newly introduced events) to maintain $J$. This is the standard notion of downwards simulation data refinement [8]. We next look at this in more detail, and in particular give the proof obligations associated to these conditions.

First of all, we need to look at events again. Figure 2 gives the shape of an event and its refinement. We see that an event in the refinement now also gets a status. The status can be ordinary (also called remaining), or anticipated or convergent. Convergent events are those which must not be executed forever, and anticipated events are those that will be made convergent at some later refinement step. New events must either have status anticipated or convergent. Both of these introduce further proof obligations: to prevent execution "forever" the refining machine has to give a variant $V$ (see above in $M_1$), and $V$ has to be decreased by every convergent event and must not be increased by anticipated events.

We now describe each of the proof obligations in turn. We have simplified them from their form in [13] by removing explicit references to sets and constants. Alternative forms of these proof obligations are given in [1, Section 5.2: Proof Obligation Rules].

FIS_REF: Feasibility Feasibility of an event is the property that, if the event is enabled (i.e. the guard is true), then there is some after-state. In other words, the body of the event will not block when the event is enabled. The rule for feasibility of a concrete event is:

$I(v) \wedge J(v,w) \wedge H(w) \;\vdash\; \exists w' \,.\, BA1(w,w')$ \quad (FIS_REF)

GRD_REF: Guard Strengthening This requires that when a concrete event is enabled, then so is the abstract one. The rule is:

$I(v) \wedge J(v,w) \wedge H(w) \;\vdash\; G(v)$ \quad (GRD_REF)

INV_REF: Simulation This ensures that the occurrence of events in the concrete machine can be matched in the abstract one (including the initialisation event). New events are treated as refinements of $skip$. The rule is:

$I(v) \wedge J(v,w) \wedge H(w) \wedge BA1(w,w') \;\vdash\; \exists v' \,.\, (BA0(v,v') \wedge J(v',w'))$ \quad (INV_REF)

Event-B also allows a variety of further proof obligations for refinement, depending on what is appropriate for the application. The two parts of the variant rule WFD_REF below must hold respectively for all convergent and anticipated events, including all newly-introduced events.

WFD_REF: Variant This rule ensures that the proposed variant $V$ satisfies the appropriate properties: that it is a natural number, that it decreases on occurrence of any convergent event, and that it does not increase on occurrence of any anticipated event:

$I(v) \wedge J(v,w) \wedge H(w) \wedge BA1(w,w') \;\vdash\; V(w) \in \mathbb{N} \wedge V(w') < V(w)$ \quad (WFD_REF, convergent event)

$I(v) \wedge J(v,w) \wedge H(w) \wedge BA1(w,w') \;\vdash\; V(w) \in \mathbb{N} \wedge V(w') \le V(w)$ \quad (WFD_REF, anticipated event)

We will use the refinement relation $M_0 \preceq M_1$ to mean that the four proof obligations FIS_REF, GRD_REF, INV_REF, and WFD_REF hold between abstract machine $M_0$ and concrete machine $M_1$.

5 Event-B refinement as CSP refinement 

With these definitions in place, we can now look at our main issue, the characterisation of Event-B refinement via CSP refinement. Here, we in particular need to look at the different forms of events in Event-B during refinement. Events can have status convergent or anticipated, or might have no status. This partitions the set of events of $M$ into three sets: anticipated $A$, convergent $C$, and remaining events $R$ (neither anticipated nor convergent). The alphabet of $M$, the set of all possible events, is thus given by $\alpha M = A \cup C \cup R$. In the CSP refinement, these will take different roles.

Now consider an Event-B machine $M_0$ and its refinement $M_1$: $M_0 \preceq M_1$. The machine $M_0$ has anticipated events $A_0$, convergent events $C_0$, and remaining events $R_0$, and $M_1$ similarly has event sets $A_1$, $C_1$, and $R_1$. Each event $ev_1$ in $M_1$ either refines a single event $ev_0$ in $M_0$ (indicated by the clause 'refines $ev_0$' in the description of $ev_1$) or does not refine any event of $M_0$. The set of new events $N_1$ is those events which are not refinements of events in $M_0$.

$M_0 \preceq M_1$ thus induces a partial surjective function $f_1 : \alpha M_1 \twoheadrightarrow \alpha M_0$ where $f_1(ev_1) = ev_0 \Leftrightarrow ev_1$ refines $ev_0$. Observe that $\alpha M_1$ is partitioned by $f_1^{-1}(\alpha M_0)$ and $N_1$. The rules for refinement between events in Event-B impose restrictions on these sets:

1. each event of $M_0$ is refined by at least one event of $M_1$;

2. each new event in $M_1$ is either anticipated or convergent;

3. each event in $M_1$ which refines an anticipated event of $M_0$ is itself either convergent or anticipated;

4. refinements of convergent or remaining events of $M_0$ are remaining in $M_1$, i.e. they are not given a status.

The conditions imposed by the rules are formalised as follows:

1. $ran(f_1) = A_0 \cup C_0 \cup R_0$;

2. $N_1 \subseteq A_1 \cup C_1$;

3. $f_1^{-1}(A_0) \subseteq A_1 \cup C_1$;

4. $f_1^{-1}(C_0 \cup R_0) = f_1^{-1}(C_0) \cup f_1^{-1}(R_0) = R_1$.

These relationships between the classes of events are illustrated in Figure 3.

Figure 3: Relationship between events in a refinement step: $f_1$ maps events in $M_1$ to events in $M_0$ that they refine.

5.1 New events

For the new events arising in the refinement, we can use the lazy abstraction operator via the $RUN$ process to get our desired result, disregarding the issue of divergence for a moment. The following lemma gives our first result on the relationship between Event-B refinement and CSP refinement.

Lemma 5.1 If $M_0 \preceq M_1$ and the refinement introduces new events $N_1$ and uses the mapping $f_1$, then $f_1^{-1}(M_0) \,|||\, RUN_{N_1} \sqsubseteq_{TDI} M_1$.

Proof: We assume state variables of $M_0$ and $M_1$ named as given above, i.e. state variables of $M_0$ are $v$ and of $M_1$ are $w$. Let $tr = \langle a_1, \ldots, a_n \rangle \in traces(M_1)$. We need to show that $tr \in traces(f_1^{-1}(M_0) \,|||\, RUN_{N_1})$. First of all note that the interleaving operator merges the traces of two processes together, i.e., the traces of $f_1^{-1}(M_0) \,|||\, RUN_{N_1}$ are simply those of $f_1^{-1}(M_0)$ with new events arbitrarily inserted. The proof proceeds by induction on the length of the trace.

Induction base Assume $n = 0$, i.e., $tr = \langle\rangle$. By definition this means that the initialisation event $init1$ has been executed, bringing the machine $M_1$ into a state $w_1$. By INV_REF (using $init$ as event), we find a state $v_1$ such that $J(v_1, w_1)$ and furthermore $\langle\rangle \in traces(M_0)$ and hence also in $traces(f_1^{-1}(M_0) \,|||\, RUN_{N_1})$.

Induction step Assume that for a trace $tr = \langle a_1, \ldots, a_{j-1} \rangle \in traces(M_1)$ we have already shown that $tr \in traces(f_1^{-1}(M_0) \,|||\, RUN_{N_1})$ and this has led us to a pair of states $v_{j-1}, w_{j-1}$ such that $J(v_{j-1}, w_{j-1})$. Now two cases need to be considered:

1. $a_j \notin N_1$. Assume $a_j$ in $M_1$ to be of the form

when $H(w)$ then $w :|\ BA1(w,w')$ end

and $f_1(a_j)$ in $M_0$ of the form

when $G(v)$ then $v :|\ BA(v,v')$ end

Since $a_j$ is executed in $w_{j-1}$ we have $H(w_{j-1})$. By GRD_REF we thus get $G(v_{j-1})$. Furthermore, for $w_j$ with $BA1(w_{j-1}, w_j)$ we find - by INV_REF - a state $v_j$ such that $J(v_j, w_j)$ and $BA(v_{j-1}, v_j)$. Hence $tr \frown \langle a_j \rangle \in traces(f_1^{-1}(M_0) \,|||\, RUN_{N_1})$.

2. $a_j \in N_1$: Similar to the previous case. Here, $a_j$ refines $skip$ and thus $v_j = v_{j-1}$, and the event $a_j$ is coming from $RUN_{N_1}$.

In the same way we can carry out a proof for infinite traces. For divergences it is even simpler as $divergences(M_1) = \{\}$. □
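As an added illustration (not code from the paper), the following Python model implements the weakest-precondition trace and divergence semantics of Section 3 for finite-state machines, and uses it for a bounded check of the trace part of Lemma 5.1 and of the four event-status rules of Section 5. The counter machines M0, M1, M1_BAD, the mapping F1 and the new-event set N1 are constructed for this example only.

```python
from itertools import product


class Machine:
    """A finite-state Event-B machine: the finite set of state values, the states the
    initialisation may produce, and events as (guard, before_after) pairs, where
    guard(v) -> bool and before_after(v, x) -> bool stands for BA(v, v') with v' = x."""

    def __init__(self, states, init, events):
        self.states = frozenset(states)
        self.init = frozenset(init)
        self.events = events

    def wp(self, name, post):
        """[when G(v) then v :| BA(v,v') end]P = G(v) => forall x.(BA(v,x) => P[x/v]).
        Predicates are represented extensionally as the set of states satisfying them."""
        guard, ba = self.events[name]
        return frozenset(v for v in self.states
                         if not guard(v)
                         or all(x in post for x in self.states if ba(v, x)))

    def wp_seq(self, trace, post):
        """[a1; ...; an]P = [a1](...([an]P)...): apply the transformers right to left."""
        for name in reversed(trace):
            post = self.wp(name, post)
        return post

    def is_trace(self, trace):
        """tr in traces(M) iff not [init; tr]false.  The initialisation is v :| v' in init,
        so [init]P holds iff every possible initial state satisfies P."""
        return not self.init <= self.wp_seq(trace, frozenset())

    def is_divergence(self, trace):
        """tr in divergences(M) iff not [init; tr]true.  As [evt]true = true for guarded
        events, this is always False: an Event-B machine is divergence-free."""
        return not self.init <= self.wp_seq(trace, self.states)

    def traces(self, k):
        """All traces of length <= k, grown one event at a time (traces are prefix-closed)."""
        found, frontier = {()}, {()}
        for _ in range(k):
            frontier = {tr + (e,) for tr in frontier for e in self.events
                        if self.is_trace(tr + (e,))}
            found |= frontier
        return found


def refinement_counterexamples(m0, m1, f1, new, k):
    """Bounded trace part of Lemma 5.1, f1^-1(M0) ||| RUN_N1 refined by M1: with N1
    disjoint from alpha M0, tr is a trace of the left-hand side iff f1(tr \\ N1) is a
    trace of M0.  Returns the traces of M1 (length <= k) for which that fails."""
    return sorted(tr for tr in m1.traces(k)
                  if not m0.is_trace(tuple(f1[e] for e in tr if e not in new)))


def status_rule_violations(f1, a0, c0, r0, a1, c1, r1, new):
    """The four restrictions of Section 5 on event statuses across one refinement step."""
    inv = lambda s: {e for e in f1 if f1[e] in s}      # f1^-1 applied to a set of events
    checks = {
        "1: ran(f1) = A0 u C0 u R0": set(f1.values()) == a0 | c0 | r0,
        "2: N1 subset of A1 u C1": new <= a1 | c1,
        "3: f1^-1(A0) subset of A1 u C1": inv(a0) <= a1 | c1,
        "4: f1^-1(C0 u R0) = R1": inv(c0 | r0) == r1,
    }
    return [rule for rule, ok in checks.items() if not ok]


# Constructed example.  M0 counts 0..3 and resets at 3.  M1 splits inc by parity and adds
# a new convergent event 'prepare' (variant 1 - p) that must precede every increment.
M0 = Machine(range(4), {0}, {
    "inc": (lambda v: v < 3, lambda v, x: x == v + 1),
    "reset": (lambda v: v == 3, lambda v, x: x == 0)})


def m1_events(reset_guard):
    # concrete state w = (c, p): counter c and flag p, p = 1 once an increment is prepared
    return {
        "prepare": (lambda w: w[1] == 0, lambda w, x: x == (w[0], 1)),
        "inc_even": (lambda w: w[1] == 1 and w[0] < 3 and w[0] % 2 == 0,
                     lambda w, x: x == (w[0] + 1, 0)),
        "inc_odd": (lambda w: w[1] == 1 and w[0] < 3 and w[0] % 2 == 1,
                    lambda w, x: x == (w[0] + 1, 0)),
        "reset": (reset_guard, lambda w, x: x == (0, 0))}


W = set(product(range(4), (0, 1)))
M1 = Machine(W, {(0, 0)}, m1_events(lambda w: w[0] == 3))       # faithful refinement of M0
M1_BAD = Machine(W, {(0, 0)}, m1_events(lambda w: w[0] >= 2))   # reset guard weaker than M0's
F1 = {"inc_even": "inc", "inc_odd": "inc", "reset": "reset"}    # the 'refines' clauses
N1 = {"prepare"}
```

For M1_BAD the check reports the concrete trace prepare, inc_even, prepare, inc_odd, reset, whose abstraction inc, inc, reset is not a trace of M0, which is exactly the GRD_REF violation on reset.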

This lemma can be generalised to a chain of refinement steps. For this, we assume that we are given a sequence of Event-B machines $M_i$ with their associated processes $P_i$, and every refinement step introduces some set of new events $N_i$.
Theorem 5.2 If a sequence of processes $P_i$, mappings $f_i$ and sets $N_i$ are such that

$f_{i+1}^{-1}(P_i) \,|||\, RUN_{N_{i+1}} \sqsubseteq_{TDI} P_{i+1}$ \quad (1)

for each $i$, then

$f_n^{-1}(\ldots(f_1^{-1}(P_0))\ldots) \,|||\, RUN_{f_n^{-1}(\ldots f_2^{-1}(N_1)\ldots) \cup \ldots \cup f_n^{-1}(N_{n-1}) \cup N_n} \sqsubseteq_{TDI} P_n$

Proof: Two successive refinement steps combine to provide a relationship between $P_0$ and $P_2$ of the same form as line (1) above, as follows:

$f_2^{-1}(P_1) \,|||\, RUN_{N_2} \sqsubseteq_{TDI} P_2$ (given)
$f_2^{-1}(f_1^{-1}(P_0) \,|||\, RUN_{N_1}) \,|||\, RUN_{N_2} \sqsubseteq_{TDI} P_2$ (line (1), transitivity of $\sqsubseteq$)
$f_2^{-1}(f_1^{-1}(P_0)) \,|||\, RUN_{f_2^{-1}(N_1)} \,|||\, RUN_{N_2} \sqsubseteq_{TDI} P_2$ (Law: $f^{-1}(P \,|||\, Q) = f^{-1}(P) \,|||\, f^{-1}(Q)$)
$f_2^{-1}(f_1^{-1}(P_0)) \,|||\, RUN_{f_2^{-1}(N_1) \cup N_2} \sqsubseteq_{TDI} P_2$ (Law: $RUN_A \,|||\, RUN_B = RUN_{A \cup B}$)

Hence the whole chain of refinement steps can be collected together, yielding the result. □



5.2 Convergent and anticipated events 

The previous result lets us relate the first and last Event-B machine in a chain of refinements. Due to the lazy abstraction operator (and the resulting possibility of defining refinement without hiding new events), we considered divergence-free processes there: all processes $P_i$ representing Event-B machines are divergence-free by definition. However, Event-B refinement is concerned with a particular form of divergence and its avoidance. A sort of divergence would arise when new events (or more specifically, convergent events) could be executed forever, and this is what the proof rules for variants rule out.

We would like to capture the impact of convergent and anticipated sets of events in the CSP semantics as well. To do so, we first of all define the specification predicate

$CA(C,R)(u) \;\hat{=}\; (\#(u \upharpoonright C) = \infty \;\Rightarrow\; \#(u \upharpoonright R) = \infty)$

Intuitively, this states that all infinite traces having infinitely many convergent ($C$) events also have infinitely many remaining ($R$) events (and thus cannot execute convergent events alone forever). In this case we say that the Event-B machine does not diverge on $C$ events.

Definition 5.3 Let $M$ be an Event-B machine with its alphabet $\alpha M$ containing event sets $C$ and $R$ with $C \cap R = \{\}$. $M$ does not diverge on $C$ events if $M\ \mathbf{sat}\ CA(C,R)$.

Convergent events in Event-B machines only come into play during refinement. Thus a plain, single Event-B machine has no convergent events ($C = \{\}$) and thus trivially satisfies the specification predicate.

Lemma 5.4 If $M_0 \preceq M_1$, and $M_1$ has convergent, anticipated, and remaining events $C_1$, $A_1$, and $R_1$ respectively, then $M_1\ \mathbf{sat}\ CA(C_1,R_1)$.

Proof: We prove this by contradiction. Assume $\neg(M_1\ \mathbf{sat}\ CA(C_1,R_1))$. Then there is some $u \in infinites(M_1)$ such that $\#(u \upharpoonright C_1) = \infty$ and $\#(u \upharpoonright R_1) < \infty$. Then there must be some $tr_0, u'$ such that $u = tr_0 \frown u'$ with $u' \in (C_1 \cup A_1)^\omega$ (i.e. $tr_0$ is a prefix of $u$ containing all the $R_1$ events). Moreover, $\#(u' \upharpoonright C_1) = \infty$.

Now since $M_0 \preceq M_1$ we have by GRD_REF and INV_REF that there is some pair of states $(v,w)$ (abstract and concrete state) reached after executing $tr_0$ for which $J(v,w)$ and $I(v)$ is true. Furthermore, $V(w)$ is a natural number. Also by $M_0 \preceq M_1$ we have an infinite sequence of pairs of states $(v_i, w_i)$ (for the remaining infinite trace $u'$) such that $J(v_i, w_i)$. Since each event in $u'$ is in $A_1$ or $C_1$ we have from WFD_REF that $V(w_{i+1}) \le V(w_i)$ for each $i$. Further, for infinitely many $i$ (i.e. those events in $C_1$) we have $V(w_{i+1}) < V(w_i)$. Thus we have a sequence of values $V(w_i)$ decreasing infinitely often without ever increasing. This contradicts the fact that $V(w_i) \in \mathbb{N}$. □
A number of further interesting properties can be deduced for the specification predicate $CA$.

Lemma 5.5 Let $P$ be a CSP process and $C, C', R \subseteq \alpha P$ nonempty finite sets of events.

1. If $P\ \mathbf{sat}\ CA(C,R)$ then $f^{-1}(P)\ \mathbf{sat}\ CA(f^{-1}(C), f^{-1}(R))$.

2. If $P\ \mathbf{sat}\ CA(C,R)$ and $N \cap C = \{\}$ then $P \,|||\, RUN_N\ \mathbf{sat}\ CA(C,R)$.

3. If $P\ \mathbf{sat}\ CA(C,R)$ and $P\ \mathbf{sat}\ CA(C', C \cup R)$ then $P\ \mathbf{sat}\ CA(C \cup C', R)$.

4. If $P\ \mathbf{sat}\ CA(C,R)$ and $C \cap R = \{\}$ then $P \setminus C$ is divergence-free.

Proof:

1. Assume that $u \in infinites(f^{-1}(P))$ and $\#(u \upharpoonright f^{-1}(C)) = \infty$. From the first we get $f(u) \in infinites(P)$. From the latter it follows that $\#(f(u) \upharpoonright C) = \infty$. With $P\ \mathbf{sat}\ CA(C,R)$ we have $\#(f(u) \upharpoonright R) = \infty$ and hence $\#(u \upharpoonright f^{-1}(R)) = \infty$.

2. Let $u \in infinites(P \,|||\, RUN_N)$ and $\#(u \upharpoonright C) = \infty$. With $N \cap C = \{\}$ we get $\#((u \setminus N) \upharpoonright C) = \infty$. By definition of $|||$ we have $u \setminus N \in infinites(P)$ ($u \setminus N$ is infinite since $\#((u \setminus N) \uphar ponright C) = \infty$). By $P\ \mathbf{sat}\ CA(C,R)$ we get $\#((u \setminus N) \upharpoonright R) = \infty$, hence $\#(u \upharpoonright R) = \infty$.

3. Let $u \in infinites(P)$ such that $\#(u \upharpoonright (C \cup C')) = \infty$. Both $C$ and $C'$ are finite sets, hence either $\#(u \upharpoonright C) = \infty$ or $\#(u \upharpoonright C') = \infty$ (or both). In the first case we get $\#(u \upharpoonright R) = \infty$ by $P\ \mathbf{sat}\ CA(C,R)$. In the second case it follows that $\#(u \upharpoonright (C \cup R)) = \infty$ and hence again $\#(u \upharpoonright C) = \infty$ or directly $\#(u \upharpoonright R) = \infty$.

4. First of all note that if $P\ \mathbf{sat}\ CA(C,R)$ then $P$ is divergence-free. Now assume that there is a trace $tr \in divergences(P \setminus C)$. Then there exists a trace $u \in infinites(P)$ such that $tr = u \setminus C$, and so $\#(u \setminus C) < \infty$. Hence $\#(u \upharpoonright C) = \infty$. However, as $C \cap R = \{\}$, $\#(u \upharpoonright R) \neq \infty$, which contradicts $P\ \mathbf{sat}\ CA(C,R)$.

□

The most interesting of these properties is probably the last one: it relates the specification predicate to 
the definition of divergence freedom in CSP. In CSP, a process does not diverge on a set of events C if 
P \ C is divergence-free. 

This gives us some results about the specification predicate for single Event-B machines and CSP 
processes. Next, we would like to apply this to refinements. First, we again consider just two machines. 

Lemma 5.6 Let $M_0 \preceq M_1$ with an associated refinement function $f_1$ and let $M_0\ \mathbf{sat}\ CA(C_0,R_0)$. Then $M_1\ \mathbf{sat}\ CA(f_1^{-1}(C_0) \cup C_1, f_1^{-1}(R_0))$.

Proof: Assume $u \in infinites(M_1)$ and $\#(u \upharpoonright (f_1^{-1}(C_0) \cup C_1)) = \infty$. We aim to establish that $\#(u \upharpoonright f_1^{-1}(R_0)) = \infty$. We have $\#(u \upharpoonright f_1^{-1}(C_0)) = \infty$ or $\#(u \upharpoonright C_1) = \infty$.

In the former case, Lemma 5.1 yields that $f_1(u \upharpoonright f_1^{-1}(\alpha M_0)) \in infinites(M_0)$. Then

$\#(u \upharpoonright f_1^{-1}(C_0)) = \infty$ (given)
$\#(f_1(u \upharpoonright f_1^{-1}(C_0)) \upharpoonright C_0) = \infty$ (since renaming preserves length)
$\#(f_1(u \upharpoonright f_1^{-1}(\alpha M_0)) \upharpoonright C_0) = \infty$ (since $C_0 \subseteq \alpha M_0$)
$\#(f_1(u \upharpoonright f_1^{-1}(\alpha M_0)) \upharpoonright R_0) = \infty$ (by $M_0\ \mathbf{sat}\ CA(C_0,R_0)$)
$\#((u \upharpoonright f_1^{-1}(\alpha M_0)) \upharpoonright f_1^{-1}(R_0)) = \infty$ (since renaming preserves length)
$\#(u \upharpoonright f_1^{-1}(R_0)) = \infty$ (since $R_0 \subseteq \alpha M_0$)

In the latter case Lemma 5.4 yields that $\#(u \upharpoonright R_1) = \infty$. Then

$\#(u \upharpoonright R_1) = \infty$
$\#(u \upharpoonright f_1^{-1}(R_0 \cup C_0)) = \infty$ (since $R_1 = f_1^{-1}(C_0 \cup R_0)$)
$\#(u \upharpoonright f_1^{-1}(R_0)) = \infty \;\vee\; \#(u \upharpoonright f_1^{-1}(C_0)) = \infty$

The first disjunct is the desired result, the second is the one already treated above.

□

Note that by Lemma 5.5 (4) the above result implies that the machine $M_1$ does not diverge on $f_1^{-1}(C_0) \cup C_1$; in particular $M_1 \setminus (f_1^{-1}(C_0) \cup C_1)$ is divergence-free.

Similar to the previous case, we can lift this to chains of refinement steps. Consider the last result with respect to two refinement steps $M_0 \preceq M_1 \preceq M_2$:

$M_0\ \mathbf{sat}\ CA(C_0, R_0)$ (given)
$f_1^{-1}(M_0)\ \mathbf{sat}\ CA(f_1^{-1}(C_0), f_1^{-1}(R_0))$ (Lemma 5.5 (1))
$f_1^{-1}(M_0) \,|||\, RUN_{N_1}\ \mathbf{sat}\ CA(f_1^{-1}(C_0), f_1^{-1}(R_0))$ (Lemma 5.5 (2))
$M_1\ \mathbf{sat}\ CA(f_1^{-1}(C_0), f_1^{-1}(R_0))$ (Lemma 5.1)
$f_2^{-1}(M_1)\ \mathbf{sat}\ CA(f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$ (Lemma 5.5 (1))
$f_2^{-1}(M_1) \,|||\, RUN_{N_2}\ \mathbf{sat}\ CA(f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$ (Lemma 5.5 (2))
$M_2\ \mathbf{sat}\ CA(f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$ (Lemma 5.1)
$M_2\ \mathbf{sat}\ CA(C_2 \cup f_2^{-1}(C_1), f_2^{-1}(R_1))$ (Lemma 5.6)

Then by applying Lemma 5.5 (3) to the final two lines, with $R = f_2^{-1}(f_1^{-1}(R_0))$, $C = f_2^{-1}(f_1^{-1}(C_0))$, and $C' = C_2 \cup f_2^{-1}(C_1)$, we obtain

$M_2\ \mathbf{sat}\ CA(C_2 \cup f_2^{-1}(C_1) \cup f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$

Thus if

$M_0 \preceq M_1 \preceq \cdots \preceq M_n$

then collecting together all the steps yields that

$M_n\ \mathbf{sat}\ CA((f_n^{-1}(\ldots f_1^{-1}(C_0)\ldots) \cup \ldots \cup f_n^{-1}(C_{n-1}) \cup C_n), f_n^{-1}(\ldots f_1^{-1}(R_0)\ldots))$ \quad (2)



Finally, we would like to put together these results into one result relating the initial machine $M_0$ to the final machine $M_n$ in the refinement chain. This result should use hiding for the treatment of new events, and, by stating the relationship between $M_0$ and $M_n \setminus \{\text{new events}\}$ via infinite-traces-divergences refinement, show that Event-B refinement actually does not introduce divergences on new events. For such chains of refinement steps we always assume that $A_0 = C_0 = \{\}$ (initially we have neither anticipated nor convergent events), and $A_n = \{\}$ (at the end all anticipated events have become convergent).

For this, we first of all need to find out what the "new events" are in the final machine. Define $g_{i,j}$ as the functional composition of the event mappings from $f_i$ to $f_j$:

$g_{i,j} = f_i \circ f_{i+1} \circ \cdots \circ f_j$

Then noting the disjointness of the union, by repeated application of

$C_j \uplus A_j \uplus R_j = f_j^{-1}(C_{j-1} \uplus A_{j-1} \uplus R_{j-1}) \uplus N_j$

we obtain

$C_j \uplus A_j \uplus R_j = g_{1,j}^{-1}(C_0 \uplus A_0 \uplus R_0) \uplus g_{2,j}^{-1}(N_1) \uplus \ldots \uplus g_{j,j}^{-1}(N_{j-1}) \uplus N_j$ (3)

Observe that this is a partition of $C_j \uplus A_j \uplus R_j$. Also, by repeated application of

$R_j = f_j^{-1}(R_{j-1} \uplus C_{j-1})$

we obtain

$R_j \uplus C_j = g_{1,j}^{-1}(R_0) \uplus g_{1,j}^{-1}(C_0) \uplus g_{2,j}^{-1}(C_1) \uplus \ldots \uplus g_{j,j}^{-1}(C_{j-1}) \uplus C_j$ (4)

Observe that this is a partition of $C_j \uplus R_j$.

In a full refinement chain $M_0 \preceq \ldots \preceq M_n$ we have that $A_0 = \{\}$, $C_0 = \{\}$, and $A_n = \{\}$. Define

$NEW = g_{2,n}^{-1}(N_1) \cup \ldots \cup g_{n,n}^{-1}(N_{n-1}) \cup N_n$

$CON = g_{2,n}^{-1}(C_1) \cup \ldots \cup g_{n,n}^{-1}(C_{n-1}) \cup C_n$

These constructions are illustrated in Figures 4 and 5.

Figure 4: Constructing NEW

Figure 5: Constructing CON

Then from Equation (3) above with $j = n$, and using $A_0 = C_0 = A_n = \{\}$, we obtain

$C_n \uplus R_n = g_{1,n}^{-1}(R_0) \cup NEW$

From Equation (4) above with $j = n$ we obtain

$C_n \uplus R_n = g_{1,n}^{-1}(R_0) \cup CON$

Hence $NEW = CON$. From Theorem 5.2 and Line (2) above respectively we obtain that

$f_n^{-1}(\ldots (f_1^{-1}(M_0)) \ldots) \,|||\, RUN_{NEW} \sqsubseteq_{tdi} M_n$

and $M_n$ sat $CA(CON,\; f_n^{-1}(\ldots f_1^{-1}(R_0) \ldots))$
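As an added illustration (not part of the paper), the following Python computes the sets $R_j$, $NEW$ and $CON$ for a small constructed refinement chain containing a split event, a renamed event and events that change status, and checks both $NEW = CON$ and the partition $C_n \uplus R_n = g_{1,n}^{-1}(R_0) \uplus NEW$. The chain data, the dictionary encoding of the $f_i$ and all function names are assumptions of the example.

```python
# Added example: check NEW = CON on a constructed refinement chain (not the paper's code).
# chain[k] describes M_k: "f" maps each event of M_k to the event of M_{k-1} it refines
# (new events have no entry); "N", "A", "C" are its new, anticipated and convergent events.
CHAIN = [
    {"f": {}, "N": set(), "A": set(), "C": set()},                # M_0: events a, b
    {"f": {"a": "a", "b1": "b", "b2": "b"},                       # M_1: b split into b1, b2
     "N": {"c", "d"}, "A": {"c"}, "C": {"d"}},                    #      c anticipated, d convergent
    {"f": {"a": "a", "b1": "b1", "b2": "b2", "c": "c", "d": "d"},
     "N": {"e"}, "A": set(), "C": {"c", "e"}},                    # M_2: c now convergent, e new
    {"f": {"a": "a", "b1": "b1", "b2": "b2", "c": "c", "dd": "d", "e1": "e", "e2": "e"},
     "N": {"g"}, "A": set(), "C": {"g"}},                         # M_3: d renamed, e split, g new
]
R0 = {"a", "b"}  # R_0: every event of M_0 is refining, since A_0 = C_0 = {}

def preimage(f, abstract):
    """f^{-1}(abstract): the concrete events that f maps into the abstract set."""
    return {e for e, ab in f.items() if ab in abstract}

def g_inverse(chain, i, j, events):
    """g_{i,j}^{-1}(events) for g_{i,j} = f_i o ... o f_j: pull back through f_i first."""
    for k in range(i, j + 1):
        events = preimage(chain[k]["f"], events)
    return events

def refining_sets(chain, r0):
    """R_j = f_j^{-1}(R_{j-1} + C_{j-1}) for every machine of the chain (list indexed by j)."""
    r = [set(r0)]
    for j in range(1, len(chain)):
        r.append(preimage(chain[j]["f"], r[j - 1] | chain[j - 1]["C"]))
    return r

def pulled_back_union(chain, key):
    """g_{2,n}^{-1}(X_1) u ... u g_{n,n}^{-1}(X_{n-1}) u X_n; key "N" gives NEW, key "C" gives CON."""
    n = len(chain) - 1
    result = set(chain[n][key])
    for i in range(1, n):
        result |= g_inverse(chain, i + 1, n, chain[i][key])
    return result

def check_chain(chain, r0):
    """Return (NEW, CON, ok) where ok states that C_n and R_n partition M_n's events
    exactly as g_{1,n}^{-1}(R_0) and NEW do, i.e. C_n + R_n == g_{1,n}^{-1}(R_0) + NEW."""
    n = len(chain) - 1
    if chain[0]["A"] or chain[0]["C"] or chain[n]["A"]:
        raise ValueError("a full chain requires A_0 = C_0 = A_n = {}")
    new, con = pulled_back_union(chain, "N"), pulled_back_union(chain, "C")
    r_n, old = refining_sets(chain, r0)[n], g_inverse(chain, 1, n, r0)
    disjoint = not (r_n & chain[n]["C"]) and not (old & new)
    return new, con, disjoint and (r_n | chain[n]["C"]) == old | new
```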

Lemma 5.5 (4) yields that $M_n \setminus CON$ is divergence-free, i.e., $M_n \setminus NEW$ is divergence-free. Hence by Lemma 4.1 we obtain that

$f_n^{-1}(\ldots (f_1^{-1}(M_0)) \ldots) \sqsubseteq_{tdi} M_n \setminus NEW$ (5)

or, equivalently, that the following theorem holds true.

Theorem 5.7 Let $M_0 \preceq M_1 \preceq \ldots \preceq M_n$ be a chain of refinement steps such that $A_0 = C_0 = \{\}$ and $A_n = \{\}$, refining events according to functions $f_i$, and let $NEW$ be the set of events as calculated above. Then

$M_0 \sqsubseteq_{tdi} f_1(f_2(\ldots f_n(M_n \setminus NEW) \ldots))$

Proof: This follows from the result in Line (5) above, using the CSP law $f(f^{-1}(P)) = P$. □

This result guarantees that Event-B refinement (a) does not introduce "new traces on old events" and (b) does not introduce divergences on new events. This gives us the precise account of Event-B refinement in terms of CSP which we were aiming at.

6 Conclusion 

In this paper, we have given a CSP account of Event-B refinement. The approach builds on Butler's semantics for action systems [6]. Butler's refinement rules allow new convergent events to be introduced into action systems, so that refinement steps satisfy $M_i \sqsubseteq_{tdi} (M_{i+1} \setminus N_{i+1})$, and hiding new events does not introduce divergence. Abrial's approach to Event-B refinement generalises this approach, allowing new events to be anticipated as well as convergent, and also allowing splitting of events. Our approach to refinement using CSP semantics reflects this generalisation and thus extends Butler's, in order to encompass these different forms of event treatment in Event-B refinement. We do not yet handle merging events, and this is the subject of current research.

Recently, an Event-B || CSP approach has been introduced [19]. It aims to combine Event-B machine descriptions with CSP [11] control processes, in order to support a more explicit view of control. In this, it follows previous works on integration of formal methods [?] [22] [15] [?] [12], which aim at complementing a state-based specification formalism with a process algebra.

The account of refinement presented here provides the basis for a flexible refinement framework in Event-B || CSP, and this is presented in [?]. The semantics justifies the introduction of a new status of devolved, for refinement events which are anticipated in the Event-B machine but convergent in the CSP controller. This approach has been applied to an initial Event-B || CSP case study of a Bounded Retransmission Protocol [20]. We aim to investigate further case studies. We are in particular interested in finding out whether the work of showing divergence-freedom (and also deadlock-freedom) can be divided between the Event-B and CSP parts such that for some events convergence is guaranteed by showing the corresponding proof obligations in Event-B, while for others we just look at divergence-freedom of the CSP process. The latter part could then be supported by model checking tools for CSP, like FDR [?].